2 Replies Latest reply on Jan 23, 2013 3:52 PM by artek

    Brute force correlation - how to create working rule?

    artek

      Hello,

      I was asked by my customer about the possibility of creating a brute force login correlation rule that is resistant to false positives caused by a successful login between login failures.

      The problem is the following: the customer has many login failures caused by problems with scripts launched remotely over SSH. The server logs contain something like this (this is only a schema):


      authentication failed
      authentication success
      authentication failed
      authentication success
      authentication failed
      authentication success
      authentication failed
      authentication success
      authentication failed
      authentication success
      authentication failed
      authentication success
      authentication failed
      authentication success
      authentication failed
      authentication success
      authentication failed
      authentication success
      authentication failed
      authentication success


      The standard "Brute force login..." rule always fires when the correlation engine sees 10 authentication failures in a 10-minute window. Unfortunately, in this case the rule fires as well.

      Likewise, the "Success login after brute force login..." rule fires too, and, as with the previous rule, it is only a false positive...

      Is it possible to create a "Brute force..." rule that won't fire when, among the ten authentication failures, there is an event for a successful authentication?


      Regards,

      Artur Sadownik

        • 1. Re: Brute force correlation - how to create working rule?
          parinya.ekparinya

          If our SIEM allowed us to define conditions that reset the time window when they are met, I think we could do a lot better for cases like this one.

          Thinking about it another way: if our SIEM solution allowed us to use attribute-value pairs, we could use those as well. Say we count +1 for each failure and -1 for each success in a 10-minute time window, for example.

          For your case, if it's only machine-to-machine activity, can we ignore that activity using source IP and destination IP filters?

          Just my two cents!

          Regards,

          Parinya
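The three rule variants discussed in this thread (the standard failure counter, a counter that resets on success as the question asks for, and the +1/-1 score from the reply above) modelled in Python outside the SIEM, as an added example that is not part of the thread and not the SIEM's own rule syntax. The log format, the `deploy` account and the `10.0.0.5` address are constructed for the example; the interleaved failed/success pattern is the one from the question, and a straight run of twelve failures stands in for a real attack.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: the three rule variants discussed in the thread, modelled in
# Python outside the SIEM. Log format, account and IP are constructed, not taken
# from the customer's servers.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) sshd: authentication "
    r"(?P<result>failed|success) for user (?P<user>\S+) from (?P<src>\S+)$"
)
FMT = "%Y-%m-%d %H:%M:%S"

def make_log(pattern, start="2013-01-23 10:00:00", user="deploy", src="10.0.0.5"):
    """Constructed log lines from a string of F (failed) / S (success), one per second."""
    t0 = datetime.strptime(start, FMT)
    return [
        f"{(t0 + timedelta(seconds=i)).strftime(FMT)} sshd: authentication "
        f"{'failed' if ch == 'F' else 'success'} for user {user} from {src}"
        for i, ch in enumerate(pattern)
    ]

# The customer's pattern from the question: failed, success, failed, success, ... (10 pairs).
SCRIPT_NOISE = make_log("FS" * 10)
# A constructed real attack: twelve failures in a row, then the attacker gets in.
BRUTE_FORCE = make_log("F" * 12 + "S")

def parse(lines):
    """Yield (timestamp, result, user, src); lines outside the schema are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], FMT), m["result"], m["user"], m["src"]

def _expire(q, now, window, key=lambda item: item):
    """Drop queue entries whose timestamp is older than the sliding window."""
    while q and now - key(q[0]) > window:
        q.popleft()

def naive_rule(lines, threshold=10, window=timedelta(minutes=10)):
    """The standard rule: N failures per (src, user) in a sliding window; successes ignored."""
    fails = defaultdict(deque)
    for ts, result, user, src in parse(lines):
        if result != "failed":
            continue
        q = fails[(src, user)]
        q.append(ts)
        _expire(q, ts, window)
        if len(q) >= threshold:
            return True
    return False

def reset_on_success_rule(lines, threshold=10, window=timedelta(minutes=10)):
    """Consecutive failures per (src, user) in the window; a success clears the count."""
    fails = defaultdict(deque)
    for ts, result, user, src in parse(lines):
        q = fails[(src, user)]
        if result == "success":
            q.clear()          # the interleaved success the question wants to tolerate
            continue
        q.append(ts)
        _expire(q, ts, window)
        if len(q) >= threshold:
            return True
    return False

def score_rule(lines, threshold=10, window=timedelta(minutes=10)):
    """Parinya's variant: +1 per failure, -1 per success, summed over the window."""
    hist = defaultdict(deque)  # (src, user) -> deque of (ts, +1 | -1)
    for ts, result, user, src in parse(lines):
        q = hist[(src, user)]
        q.append((ts, 1 if result == "failed" else -1))
        _expire(q, ts, window, key=lambda item: item[0])
        if sum(v for _, v in q) >= threshold:
            return True
    return False

def evaluate():
    """Run all three rules over both constructed samples; True means the rule would alert."""
    return {
        name: {"script_noise": rule(SCRIPT_NOISE), "brute_force": rule(BRUTE_FORCE)}
        for name, rule in (("naive", naive_rule),
                           ("reset_on_success", reset_on_success_rule),
                           ("score", score_rule))
    }

if __name__ == "__main__":
    for name, res in evaluate().items():
        print(f"{name:18s} script noise alert={res['script_noise']!s:5s} "
              f"brute force alert={res['brute_force']}")
```

On these inputs the naive rule alerts on both samples (the false positive from the question), while both the reset-on-success and the score variants stay quiet on the interleaved script pattern and still alert on the twelve-failure run. The two quiet variants differ in what an attacker can do with one known-good credential: with the reset rule a single success between failures wipes the counter, so spraying other accounts from the same source while periodically logging in with the known one never reaches the threshold; the score rule only subtracts one per success, so the attacker still needs ten more failures than successes inside the window. Which trade-off is acceptable depends on how often legitimate successes interleave with failures on the servers in question.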

          • 2. Re: Brute force correlation - how to create working rule?
            artek

            Hi Parinya,

            unfortunately in this case I can't use source/destination filtering, because the customer wants to use this correlation for those servers. I tried a lot of combinations, but without positive results. For example:

            [attached screenshot: ESM07.PNG]

            Regards,

            Artur